My app opens a link to an external website inside a WebView. We do not control that external website. It works fine if I open this link in a mobile browser, or in a browser on a PC, etc. The certificate is "trusted" in each case. However, in Android WebView I get an "Untrusted Certificate" error, and Google policy does not allow me to simply ignore the error. What can this issue be? Is this a bug in WebView?
Browsers, in general, handle certificates a little bit differently to work around issues such as the one you encountered. I'm not familiar enough with browser internals to point out what exactly is different, but I suggest they hold a list of trusted Certificate Authorities (CAs) that is updated regularly, more frequently than the list of trusted CAs stored on the device.
Received certificates can be trusted:
You will have to work around this issue by providing a modified SSLContext. How to provide a modified SSLContext can be found here.
This is not your case, but the issue can also arise when a certificate is self-signed. This is what I've encountered when developing applications and connecting to a TLS-enabled backend that uses a self-signed certificate.
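
The modified-SSLContext approach mentioned in the answer, as an added example that is not part of the original post: it builds a context that trusts only certificates the app ships, instead of turning validation off. The class and method names are hypothetical, the certificate stream is assumed to be a file bundled with the app, and the context applies to connections the app opens itself with `HttpsURLConnection`, since WebView does not accept an SSLContext.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: names are illustrative, not from the original answer.
public final class BundledCaContext {

    /** Builds an SSLContext whose only trust anchors are the certificates in caStream (PEM or DER). */
    public static SSLContext fromCertificates(InputStream caStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs = cf.generateCertificates(caStream);
        if (certs.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in input");
        }

        // Empty in-memory keystore that will hold just the bundled trust anchors.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int i = 0;
        for (Certificate c : certs) {
            X509Certificate x509 = (X509Certificate) c;
            x509.checkValidity(); // refuse to ship an expired or not-yet-valid anchor
            ks.setCertificateEntry("bundled-" + i++, x509);
        }

        // Standard PKIX chain validation, rooted in the bundled anchors only.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a connection that uses ctx; the default hostname verification stays enabled. */
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

Because the context trusts only the bundled certificates, a connection made with it to a server whose chain ends in any other CA fails the handshake, which keeps the exception scoped to the one backend it was added for.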